There were nearly 200 hacks last year of the payment systems used by retailers, hotels and restaurants. Most of them could have been prevented without spending much money, according to a new report from Verizon’s cybersecurity team.

The theft of 40 million credit and debit card numbers from Target last year raised new questions about whether companies that handle personal information spend enough on cybersecurity. Information protection has turned into a $70 billion market with a slew of new firms offering new security gadgets and services.

But in its annual report on the scope of cybercrime, Verizon suggests basic hygiene at major retailers could go a long way in protecting payment systems.

Some of the suggestions seem pretty basic:

Make sure passwords aren’t factory defaults.

Don’t use social media accounts on point-of-sale systems.

Run the payment system on a separate system from corporate email and other functions.

“It’s not necessarily about spending more money. It’s about doing the right things,” said Chris Porter, one of the report’s authors and a managing principal at Verizon’s Cyber Intelligence Center. “There are things organizations can do that require elbow grease and work.”

Verizon’s recommendations are particularly notable because the company helped investigate the Target breach. It has repeatedly declined to comment on the incident.

In that hack, intruders initially gained access by stealing the login credentials for a ventilation contractor in Pennsylvania. This led investigators to conclude that Target’s network was too interconnected, creating openings for fraudsters, people familiar with the investigation have said.

The report also notes that hackers successfully stole data from POS systems 198 times last year – down from previous years. These fraudsters, however, have become more advanced, Mr. Porter said. Many of those cases weren’t disclosed.

In total, Verizon counted 1,367 data breaches in 2013 based on tabulation of statistics from the U.S. government, cybersecurity companies and foreign law enforcement. It’s impossible to compare that to years prior because Verizon collects data from different sources each year.